From fbd9ba81449ebe08fa5f050638b009d4f2ba8de6 Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Mon, 18 Sep 2023 10:17:33 -0700 Subject: [PATCH] Revert "Disable base role testing that runs code on localhost" We can now run untrusted code on the executor, so we can re-enable these tests. This reverts commit 44d2187e7fcea0683c75db530458088b8371bb4e. Change-Id: I65960af09a3cf3da1e780a96b6d13ddba3ce73d8 --- test-playbooks/base-roles/base.yaml | 3 +- .../base-roles/fetch-subunit-output.yaml | 65 +++++++++---------- .../base-roles/fetch-zuul-cloner.yaml | 53 +++++++-------- 3 files changed, 55 insertions(+), 66 deletions(-) diff --git a/test-playbooks/base-roles/base.yaml b/test-playbooks/base-roles/base.yaml index 24813285f..d760f4af6 100644 --- a/test-playbooks/base-roles/base.yaml +++ b/test-playbooks/base-roles/base.yaml @@ -6,8 +6,7 @@ # Note: set-zuul-log-path-fact is tested by emit-job-header.yaml - import_playbook: emit-job-header.yaml - import_playbook: ensure-output-dirs.yaml -# This runs local code so cannot be tested in this way. -# - import_playbook: prepare-workspace-git.yaml +- import_playbook: prepare-workspace-git.yaml - import_playbook: configure-mirrors.yaml - import_playbook: fetch-zuul-cloner.yaml - import_playbook: validate-host.yaml diff --git a/test-playbooks/base-roles/fetch-subunit-output.yaml b/test-playbooks/base-roles/fetch-subunit-output.yaml index cdcc433aa..6ab3e4c00 100644 --- a/test-playbooks/base-roles/fetch-subunit-output.yaml +++ b/test-playbooks/base-roles/fetch-subunit-output.yaml 
@@ -68,25 +68,21 @@ - local_html_test_results is not changed - local_html_test_results is succeeded - # Disabled as we cannot run shell on localhost outside of a - # trusted context. # only one subunit file; the failed result should be hidden - # - name: Check the content of the HTML file - # delegate_to: localhost - # shell: | - # GLOBAL_RESULT=1 - # zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ - # {{ zuul.executor.log_root }}/testr_results.html - # T1=$? - # zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ - # {{ zuul.executor.log_root }}/testr_results.html - # T2=$? - # if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then - # GLOBAL_RESULT=0 - # fi - # exit $GLOBAL_RESULT - - name: nooping task because yamllint complains about the comment above - debug: {} + - name: Check the content of the HTML file + delegate_to: localhost + shell: | + GLOBAL_RESULT=1 + zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ + {{ zuul.executor.log_root }}/testr_results.html + T1=$? + zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ + {{ zuul.executor.log_root }}/testr_results.html + T2=$? + if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then + GLOBAL_RESULT=0 + fi + exit $GLOBAL_RESULT # The following test(s) require(s) the previous playbook - name: Run the fetch-subunit-output role with multiple subunits 
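Review bot: In the re-enabled `Check the content of the HTML file` task, `{{ zuul.executor.log_root }}` is templated into the shell script unquoted, and with `delegate_to: localhost` that script now runs on the executor from an untrusted job. The value is supplied by Zuul, so this is hardening rather than a known injection path. Passing the whole path through the `quote` filter keeps the script intact if the path ever contains whitespace or shell metacharacters: `{{ (zuul.executor.log_root ~ '/testr_results.html') | quote }}` on both `zgrep` lines. The identical task in this file's second hunk (`@@ -117,21 +113,18 @@`) needs the same change. Because the task only reads a file, `changed_when: false` would also fit.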
@@ -117,21 +113,18 @@ - local_subunit_file is succeeded - local_html_test_results is not changed - local_html_test_results is succeeded - # Disabled as we cannot run shell on localhost outside of a - # trusted context. - # - name: Check the content of the HTML file - # delegate_to: localhost - # shell: | - # GLOBAL_RESULT=1 - # zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ - # {{ zuul.executor.log_root }}/testr_results.html - # T1=$? - # zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ - # {{ zuul.executor.log_root }}/testr_results.html - # T2=$? - # if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then - # GLOBAL_RESULT=0 - # fi - # exit $GLOBAL_RESULT - - name: nooping task because yamllint complains about the comment above - debug: {} + + - name: Check the content of the HTML file + delegate_to: localhost + shell: | + GLOBAL_RESULT=1 + zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ + {{ zuul.executor.log_root }}/testr_results.html + T1=$? + zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ + {{ zuul.executor.log_root }}/testr_results.html + T2=$? + if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then + GLOBAL_RESULT=0 + fi + exit $GLOBAL_RESULT diff --git a/test-playbooks/base-roles/fetch-zuul-cloner.yaml b/test-playbooks/base-roles/fetch-zuul-cloner.yaml index 425481368..55dcc9153 100644 --- a/test-playbooks/base-roles/fetch-zuul-cloner.yaml +++ b/test-playbooks/base-roles/fetch-zuul-cloner.yaml 
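Review bot: This copy of `Check the content of the HTML file` differs from the first only in its final test (`[ ${T2} -eq 0 ]` here, `[ ${T2} -ne 0 ]` there), and nothing in the hunk says why. The first copy keeps its `# only one subunit file; the failed result should be hidden` comment. This one would benefit from a matching line above the task, presumably `# multiple subunit files; the failed result should be present`, to be confirmed against the role's behaviour. Without it, the one-token difference between two otherwise identical scripts is easy to "fix" by mistake in a later cleanup.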
@@ -25,32 +25,29 @@ - cloner.stat.exists - cloner.stat.mode == "0755" - # Disabled as this depends on running workspace setup which requires - # being able to run code on the executor from an untrusted context and - # this is not allowed. - # - name: Zuul clone something in required-projects - # shell: - # executable: /bin/bash - # cmd: | - # CLONEMAP=`mktemp` - # function cleanup { - # rm -f $CLONEMAP - # } - # trap cleanup EXIT - # cat > $CLONEMAP << EOF - # clonemap: - # - name: opendev/base-jobs - # dest: {{ ansible_user_dir }} - # EOF - # /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \ - # --cache-dir /opt/git https://opendev.org \ - # opendev/base-jobs - # register: clone_with_required + - name: Zuul clone something in required-projects + shell: + executable: /bin/bash + cmd: | + CLONEMAP=`mktemp` + function cleanup { + rm -f $CLONEMAP + } + trap cleanup EXIT + cat > $CLONEMAP << EOF + clonemap: + - name: opendev/base-jobs + dest: {{ ansible_user_dir }} + EOF + /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \ + --cache-dir /opt/git https://opendev.org \ + opendev/base-jobs + register: clone_with_required - # - name: Check if repository was cloned - # stat: - # path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs" - # register: with_required_stat + - name: Check if repository was cloned + stat: + path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs" + register: with_required_stat - name: Zuul clone something not in required-projects shell: @@ -80,8 +77,8 @@ - name: Validate zuul-cloner shim results assert: that: - # - clone_with_required is succeeded - # - clone_with_required is changed - # - with_required_stat.stat.exists + - clone_with_required is succeeded + - clone_with_required is changed + - with_required_stat.stat.exists - clone_without_required is failed - not without_required_stat.stat.exists
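Review bot: The revert deletes the only comment recording that `Zuul clone something in required-projects` depends on workspace setup having run on the executor, and leaves nothing in its place. That dependency is presumably the `prepare-workspace-git.yaml` import this commit re-enables in `base.yaml`. A short comment above the task would keep the ordering requirement visible to whoever next edits the import list, for example `# Requires the workspace prepared by prepare-workspace-git.yaml (imported earlier in base.yaml)`. As a smaller style point, `$CLONEMAP` is unquoted in `rm -f`, `cat >` and `-m`; writing `"$CLONEMAP"` and `CLONEMAP=$(mktemp)` is the more defensive form.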
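Review bot: In the `Validate zuul-cloner shim results` assert, the restored `clone_with_required is changed` condition adds no coverage. A `shell` task reports `changed` whenever it runs unless `changed_when` is set, and the task that registers `clone_with_required` sets none. The conditions that actually test the shim are `clone_with_required is succeeded` and `with_required_stat.stat.exists`. Replacing the `is changed` line with `- with_required_stat.stat.isdir` would tighten the check. The `that:` list may continue past the end of the hunk.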